The paired app turns malicious. Every request hits the real policy engine and comes back with a machine-readable reason. Nothing here is simulated.
Approve a session first — then attack it.